Post Upgrade 20.7 NTOPNG GeoIP Download Fails - Authentication Error

Started by mush2020, August 02, 2020, 12:05:23 PM

After upgrading OPNsense to 20.7, ntopng GeoIP is showing an authentication error while trying to get GeoIP.
Tried with a new key; it still fails to download.

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
SSL certificate subject doesn't match host download.maxmind.com
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz download failed

Has anything changed, or does anyone have direction to fix this?

New error seen; could anyone assist?

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4667418046464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=MyKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-Country&license_key=MyKey&suffix=tar.gz download failed

This is from a post by marjohn56:

root@gateway:~ # cd /usr/local/opnsense/scripts/filter/lib

root@gateway:/usr/local/opnsense/scripts/filter/lib # python3

You will now be seeing the Python interpreter.

>>> from geoip import download_geolite
>>> download_geolite()

Wait a few seconds and if you have got the correct url and licence you should see something like this:

{'address_count': 433499, 'file_count': 499, 'timestamp': '2020-01-06T23:45:56', 'locations_filename': 'GeoLite2-Country-Locations-en.csv', 'address_sources': {'IPv4': 'GeoLite2-Country-Blocks-IPv4.csv', 'IPv6': 'GeoLite2-Country-Blocks-IPv6.csv'}}

Hit Ctrl-d to exit the Python interpreter.

Thanks Husgcoden,
I could see this in the shell:
/usr/local/opnsense/scripts/filter/lib # python3
Python 3.7.8 (default, Jul 27 2020, 22:43:18)
[Clang 8.0.1 (tags/RELEASE_801/final 366581)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
{'address_count': 0, 'file_count': 0, 'timestamp': None, 'locations_filename': None, 'address_sources': {'IPv4': None, 'IPv6': None}}

I had a chat with MaxMind; the first query was about the TLS version, and it should be TLS 1.3.
The other assumption I have is that, even though my license key is valid and I could download the GeoIP database locally through the same URL that is in ntopng-geoip2update.sh, due to some issue related to the certificate or TLS, MaxMind does not authenticate at the first step, so the DB download would never happen.

MaxMind asked me to reach out to either OPNsense or ntop to resolve this issue; there is nothing more to be done from their side.
It all started after the upgrade to 20.7.


Hi,
Is the link you used for GeoIP or for the ntopng script?
I'm getting the error for the ntopng script, where tar.gz is used to download the DB,
while for GeoIP blocking, zip is used in FW Aliases => GeoIP Setting => URL (this too has an issue, I think, as last updated shows as 2020-07-28T16:43:02).

I have even used a link similar to yours, but got the same error: Authentication.
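
Added example, not part of any post in this thread and not OPNsense or ntop code: a Python helper that triages the updater output quoted above, reporting which certificate subject was presented for which host and masking the license key before the output is shared. It assumes that a certificate message ahead of fetch's "Authentication error" means the TLS handshake failed before the license key was ever evaluated; the function names and report fields are hypothetical.

```python
import re

# Constructed sample: the second failing run quoted in the thread, key placeholder as posted.
SAMPLE_RUN = """\
Fetching GeoLite2-City
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4667418046464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=MyKEY&suffix=tar.gz: Authentication error
"""

KEY_RE = re.compile(r"(license_key=)[^&\s:]+")
VERIFY_RE = re.compile(r"^Certificate verification failed for (/.+)$")
MISMATCH_RE = re.compile(r"^SSL certificate subject doesn't match host (\S+)$")
HOST_RE = re.compile(r"^fetch: https://([^/:\s]+)")

def redact(text):
    """Mask the license key so the output can be logged or posted."""
    return KEY_RE.sub(r"\1<redacted>", text)

def parse_dn(dn):
    """Split an OpenSSL one-line subject (/C=NL/O=...) into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def triage(output):
    """Classify one updater run and return a report with the key masked."""
    report = {"stage": "unknown", "host": None, "subject": None,
              "unrelated_cert": False, "log": redact(output)}
    for line in output.splitlines():
        line = line.strip()
        verify, mismatch = VERIFY_RE.match(line), MISMATCH_RE.match(line)
        host = HOST_RE.match(line)
        if verify:
            # Assumption: a verification failure means the handshake never completed.
            report["stage"], report["subject"] = "tls", parse_dn(verify.group(1))
        elif mismatch:
            report["stage"], report["host"] = "tls", mismatch.group(1)
        elif host:
            report["host"] = host.group(1)
            if report["stage"] == "unknown" and "Authentication error" in line:
                report["stage"] = "fetch-auth"
    if report["subject"] and report["host"] and "." in report["host"]:
        # Heuristic (assumption): the host's owner label, e.g. "maxmind",
        # should appear somewhere in the subject the server presented.
        owner = report["host"].split(".")[-2].lower()
        values = " ".join(report["subject"].values()).lower()
        report["unrelated_cert"] = owner not in values
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_RUN))
```

A report with `stage` set to `tls` and `unrelated_cert` true says the endpoint that answered for the download host presented a certificate belonging to something else, which points the investigation at name resolution, proxying or the local trust store rather than at the license key.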